Finding the UEFI System Partition (ESP)#

1
sudo bootctl status

Creating Your Keys#

1
nix-shell -p sbctl
2
sudo sbctl create-keys

NOTE

If you have preexisting keys in /etc/secureboot migrate these to /var/lib/sbctl.

1
sbctl setup --migrate

Configuring NixOS#

• Add to flake.nix inputs

1
lanzaboote = {
2
    url = "github:nix-community/lanzaboote/v0.4.2";
3
    inputs.nixpkgs.follows = "nixpkgs";
4
};

• configuration.nix

1
{ pkgs, lib, ... }:
2
let
3
    sources = import ./nix/sources.nix;
4
    lanzaboote = import sources.lanzaboote;
5
in
6
{
7
  imports = [ lanzaboote.nixosModules.lanzaboote ];
8

9
  environment.systemPackages = [
10
    # For debugging and troubleshooting Secure Boot.
11
    pkgs.sbctl
12
  ];
13

14
  # Lanzaboote currently replaces the systemd-boot module.
15
  # This setting is usually set to true in configuration.nix
16
  # generated at installation time. So we force it to false
17
  # for now.
18
  boot.loader.systemd-boot.enable = lib.mkForce false;
19

20
  boot.lanzaboote = {
21
    enable = true;
22
    pkiBundle = "/var/lib/sbctl";
23
  };
24
}

Checking that your machine is ready for Secure Boot enforcement#

After rebuild system, check sbctl verify output:

1
sudo sbctl verify
2
Verifying file database and EFI images in /boot...
3
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
4
✓ /boot/EFI/Linux/nixos-generation-355.efi is signed
5
✓ /boot/EFI/Linux/nixos-generation-356.efi is signed
6
✗ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed
7
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed

It is expected that the files ending with bzImage.efi are not signed.

Entering Secure Boot Setup Mode#

The UEFI firmware allows enrolling Secure Boot keys when it is in Setup Mode.

On a Thinkpad enter the BIOS menu using the “Reboot into Firmware” entry in the systemd-boot boot menu. Once you are in the BIOS menu:

1. Select the “Security” tab.
2. Select the “Secure Boot” entry.
3. Set “Secure Boot” to enabled.
4. Select “Reset to Setup Mode”.

When you are done, press F10 to save and exit.

You can see these steps as a video here.

⚠️ Do not select “Clear All Secure Boot Keys” as it will drop the Forbidden Signature Database (dbx).

Enrolling Keys#

Once you’ve booted your system into NixOS again, you have to enroll your keys to activate Secure Boot. We include Microsoft keys here to avoid boot issues.

1
sudo sbctl enroll-keys --microsoft
2
Enrolling keys to EFI variables...
3
With vendor keys from microsoft...✓
4
Enrolled keys to the EFI variables!

⚠️ During boot, some hardware might include OptionROMs signed with Microsoft keys. By using the --microsoft, we enroll the Microsoft OEM certificates. Another more experimental option would be to enroll OptionROMs checksum seen at last boot using --tpm-eventlog, but these checksums might change later.

You can now reboot your system. After you’ve booted, Secure Boot is activated and in user mode:

1
bootctl status
2
System:
3
      Firmware: UEFI 2.70 (Lenovo 0.4720)
4
 Firmware Arch: x64
5
   Secure Boot: enabled (user)
6
  TPM2 Support: yes
7
  Boot into FW: supported

⚠️ If you used --microsoft while enrolling the keys, you might want to check that the Secure Boot Forbidden Signature Database (dbx) is not empty. A quick and dirty way is by checking the file size of /sys/firmware/efi/efivars/dbx-*. Keeping an up to date dbx reduces Secure Boot bypasses, see for example: https://uefi.org/sites/default/files/resources/dbx_release_info.pdf.